4.3.2 RADIUS Authentication

RADIUS enables communication between remote access servers and a central server using secure token authentication.

Access Manager supports both PIN and challenge-and-response methods of token-based authentication. RADIUS represents token-based authentication methods to authenticate a user, based on something a user possesses. For example, a token card. Token challenge-response is supported for two-step processes that are necessary to authenticate a user.

Perform the following steps to configure RADIUS authentication:

  1. Click Devices > Identity Server > Edit > Local > Classes.

  2. Click New.

  3. Specify a display name, and then select RadiusClass or ProtectedRadiusClass from the list.

  4. Click Next.

  5. Click New to add an IP address for the RADIUS server.

    You can add additional servers for failover purposes.

  6. Click OK.

  7. Specify the following details:

    Field

    Description

    Port

    The port of the RADIUS server.

    Shared Secret

    The RADIUS shared secret.

    Reply Time

    The total time to wait for a reply in milliseconds.

    Resend Time

    The time to wait in milliseconds between requests.

    Server Failure Retry

    The time in milliseconds that must elapse before a failed server is retried.

    JSP

    Specify the name of the login page if you want to use something other than the default page.

    The filename must be specified without the JSP extension. The default page is used if nothing is specified.

    Use Look Attribute Name

    Specify the LDAP attribute on which the user will be searched in the Radius server. CN is the default attribute.

    Require Password

    Select to require the user to also specify an LDAP password.

  8. Click Finish.

  9. Create a method for this class.

    For instructions, see Section 4.1.3, Configuring Authentication Methods.

  10. Create a contract for the method.

    For instructions, see Section 4.1.4, Configuring Authentication Contracts.

    If you want to make the users’ credentials available for Identity Injection policies and you did not select Require Password, add the password fetch method as a second method to the contract. For more information about this class and method, see Section 4.1.10, Password Retrieval.

  11. Update Identity Server.